Accepting request 988924 from home:jsegitz:branches:security:SELinux

- Update fix_systemd.patch to add sys_admin systemd_gpt_generator_t
  (bsc#1200911)

- postfix: Label PID files and some helpers correctly (bsc#1197242)

- Add fix_userdomain.patch to dontaudit UDP rpc ports (bsc#1193984)

OBS-URL: https://build.opensuse.org/request/show/988924
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=134

fix_postfix.patch

@@ -1,8 +1,8 @@
-Index: fedora-policy/policy/modules/contrib/postfix.fc
+Index: fedora-policy-20220624/policy/modules/contrib/postfix.fc
 ===================================================================
---- fedora-policy.orig/policy/modules/contrib/postfix.fc
+--- fedora-policy-20220624.orig/policy/modules/contrib/postfix.fc
-+++ fedora-policy/policy/modules/contrib/postfix.fc
++++ fedora-policy-20220624/policy/modules/contrib/postfix.fc
-@@ -1,37 +1,20 @@
+@@ -1,37 +1,21 @@
  # postfix
 -/etc/rc\.d/init\.d/postfix    --  gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
 -/etc/postfix.*		      	gen_context(system_u:object_r:postfix_etc_t,s0)
@@ -41,6 +41,7 @@ Index: fedora-policy/policy/modules/contrib/postfix.fc
 +/etc/postfix.*		      		gen_context(system_u:object_r:postfix_etc_t,s0)
 +/etc/postfix/chroot-update 	--	gen_context(system_u:object_r:postfix_exec_t,s0)
 +/usr/lib/postfix/bin/.*		--	gen_context(system_u:object_r:postfix_exec_t,s0)
++/usr/lib/postfix/systemd/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
 +/usr/lib/postfix/bin/cleanup 	--	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
 +/usr/lib/postfix/bin/local	--	gen_context(system_u:object_r:postfix_local_exec_t,s0)
 +/usr/lib/postfix/bin/master	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
@@ -56,7 +57,7 @@ Index: fedora-policy/policy/modules/contrib/postfix.fc
  /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
  /etc/postfix/prng_exch	--	gen_context(system_u:object_r:postfix_prng_t,s0)
  /usr/sbin/postalias	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
-@@ -45,6 +28,9 @@ ifdef(`distro_redhat', `
+@@ -45,13 +29,16 @@ ifdef(`distro_redhat', `
  /usr/sbin/postqueue	--	gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
  /usr/sbin/postsuper	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
  
@@ -66,10 +67,18 @@ Index: fedora-policy/policy/modules/contrib/postfix.fc
  /var/lib/postfix.*		gen_context(system_u:object_r:postfix_data_t,s0)
  
  /var/spool/postfix.*		gen_context(system_u:object_r:postfix_spool_t,s0)
-Index: fedora-policy/policy/modules/contrib/postfix.te
+ /var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
+ /var/spool/postfix/defer(/.*)? 	  gen_context(system_u:object_r:postfix_spool_t,s0)
+ /var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
+-/var/spool/postfix/pid/.*	gen_context(system_u:object_r:postfix_var_run_t,s0)
++/var/spool/postfix/pid(/.*)?	gen_context(system_u:object_r:postfix_var_run_t,s0)
+ /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
+ /var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
+ /var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
+Index: fedora-policy-20220624/policy/modules/contrib/postfix.te
 ===================================================================
---- fedora-policy.orig/policy/modules/contrib/postfix.te
+--- fedora-policy-20220624.orig/policy/modules/contrib/postfix.te
-+++ fedora-policy/policy/modules/contrib/postfix.te
++++ fedora-policy-20220624/policy/modules/contrib/postfix.te
 @@ -447,6 +447,14 @@ logging_send_syslog_msg(postfix_map_t)
  
  userdom_use_inherited_user_ptys(postfix_map_t)

fix_systemd.patch

@@ -1,7 +1,7 @@
-Index: fedora-policy-20220428/policy/modules/system/systemd.te
+Index: fedora-policy-20220624/policy/modules/system/systemd.te
 ===================================================================
---- fedora-policy-20220428.orig/policy/modules/system/systemd.te
+--- fedora-policy-20220624.orig/policy/modules/system/systemd.te
-+++ fedora-policy-20220428/policy/modules/system/systemd.te
++++ fedora-policy-20220624/policy/modules/system/systemd.te
 @@ -355,6 +355,10 @@ userdom_manage_user_tmp_chr_files(system
  xserver_dbus_chat(systemd_logind_t)
  
@@ -24,3 +24,12 @@ Index: fedora-policy-20220428/policy/modules/system/systemd.te
  #######################################
  #
  # rfkill policy
+@@ -1105,7 +1113,7 @@ systemd_read_efivarfs(systemd_hwdb_t)
+ # systemd_gpt_generator domain
+ #
+ 
+-allow systemd_gpt_generator_t self:capability sys_rawio;
++allow systemd_gpt_generator_t self:capability { sys_rawio sys_admin};
+ allow systemd_gpt_generator_t self:netlink_kobject_uevent_socket create_socket_perms;
+ 
+ dev_read_sysfs(systemd_gpt_generator_t)

fix_userdomain.patch

@@ -0,0 +1,12 @@
+Index: fedora-policy-20220624/policy/modules/system/userdomain.if
+===================================================================
+--- fedora-policy-20220624.orig/policy/modules/system/userdomain.if
++++ fedora-policy-20220624/policy/modules/system/userdomain.if
+@@ -1497,6 +1497,7 @@ tunable_policy(`deny_bluetooth',`',`
+ 
+ 	# port access is audited even if dac would not have allowed it, so dontaudit it here
+ #	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
++	corenet_dontaudit_udp_bind_all_rpc_ports($1_t)
+ 	# Need the following rule to allow users to run vpnc
+ 	corenet_tcp_bind_xserver_port($1_t)
+ 	corenet_tcp_bind_generic_node($1_usertype)

selinux-policy.changes

@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Wed Jul 13 07:48:41 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
+
+- Update fix_systemd.patch to add sys_admin systemd_gpt_generator_t
+  (bsc#1200911)
+
+-------------------------------------------------------------------
+Mon Jul 11 13:45:04 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
+
+- postfix: Label PID files and some helpers correctly (bsc#1197242)
+
+-------------------------------------------------------------------
+Fri Jun 24 12:51:40 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
+
+- Add fix_userdomain.patch to dontaudit UDP rpc ports (bsc#1193984)
+
 -------------------------------------------------------------------
 Fri Jun 24 06:32:55 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
 

selinux-policy.spec

@@ -141,6 +141,7 @@ Patch057:       fix_hypervkvp.patch
 Patch058:       fix_bitlbee.patch
 Patch059:       systemd_domain_dyntrans_type.patch
 Patch060:       fix_dnsmasq.patch
+Patch061:       fix_userdomain.patch
 
 Patch100:       sedoctool.patch